Avoiding and enforcing the GDPR

WELCOME to Connected Rights, your slap in the face of digital rights news and analysis.

LAST YEAR I WROTE ABOUT HOW many of Europe’s data protection authorities are too underfunded to properly enforce the General Data Protection Regulation. With just a few weeks to go now, that’s still the case. Reuters surveyed 24 DPAs and found 17 don’t have the resources or the powers to do their jobs properly, come May 25th.

The latter part isn’t strictly correct – the GDPR is a regulation, not a directive, so it doesn’t need to be transposed into national law as such, and the powers should therefore be there. It may be politically unpalatable for the DPAs to go beyond what their governments’ previous data protection legislation allows, though.

GDPR SHIELD IS/WAS a service introduced to help companies avoid falling under the GDPR’s purview… by simply blocking all EU users. Attempting to charge people a monthly fee for a snippet of code, it caused great merriment in the privacy community – not least because the guy running it was in Germany.

APPLE HAS BEEN BOOTING FRENCH MEDIA APPS out of the App Store for transmitting users’ geolocation data to third parties without their consent. Le Figaro’s app is one victim, and it seems to be down to the fact that it plugs into the “drive-to-store marketing platform” (i.e. location-based ad-targeter) Teemo, whose services have also gotten other apps into trouble with Apple.

Funny, then, that Teemo claims to have been certified as “exceeding all criteria of the European requirements for data protection”, including those in the GDPR, by a German company called ePrivacy. Teemo has an “ePrivacyseal EU” and everything! Somebody here looks silly right now. But who?

APPLE MAY BE PLANNING TO INTRODUCE a new feature in iOS that stops law enforcement from unlocking iPhones by brute-forcing the handsets’ passwords. Specifically, it’s a “USB Restricted Mode” that could counter unlocking devices such as GrayKey – or at least restrict to a week the amount of time in which they could be used to break into the phone.

HOW MANY WEB SERVICES DID RUSSIA’S ANTI-TELEGRAM CRUSADE take out as collateral damage? Four hundred, according to Roskomnadzor, the regulator that carried out the abortive blockade. Casualties included big players like Viber and Yandex. At least one business owner has sued the communications watchdog over the effect on his livelihood.

Meanwhile, Roskomnadzor has also been ordering the blockage of VPNs and proxies that people can use to access the reviled (and still functioning) encrypted messaging service.

Over in Iran, President Hassan Rouhani has come out firmly against that country’s Telegram ban. “If a decision has been made to restrict or block the communication of the people, the real owners of this country, which are the people, should be included in making such decisions,” he said.

A reminder there that Rouhani is often not aligned with the theocratic forces that truly rule Iran (Ayatollah Khamenei appoints the chief of the judiciary). On a non-digital-rights-related note, we may be seeing that issue in the news quite a bit now.

FORMER MICROSOFT VP RAY OZZIE HAS IDEAS about how to allow law enforcement access to people’s encrypted messages. However, as a bunch of cryptographers including Matt Blaze and Ronald Rivest point out, those ideas don’t hold water.

They write: “His basic idea is a combination of storing protected decryption keys on the device plus a scheme that ‘bricks’ devices when its escrowed keys are accessed…the rhetoric surrounding exceptional access refers to thousands of phones that law enforcement can’t open. This requires companies to keep the unwrapping key secure despite its being accessed multiple times a day and thousands of times a year. Contrary to Ozzie’s claims, we don’t know how to do that securely…As security engineers well know, having an outline of an idea is the easy part; the hard part is ensuring the details all work securely.”

TENCENT’S WECHAT APP HAS SO FAR expelled half a billion “fake news” postings from its network, according to a Chinese government report.

According to the South China Morning Post: “Apart from blocking the posts directly, Tencent’s WeChat is working with hundreds of third-party organisations in an effort to block postings and quash ‘rumours’ as part of its overall effort to ‘safeguard cybersecurity’.”

The government report also claims that WeChat needs to step up its data protection, and noted that it has assisted the authorities “in over 3,800 arrests related to illegally obtaining personal information”.


THE FACIAL RECOGNITION SYSTEMS USED BY South Wales Police at last year’s Champions League final were… not terribly successful. They recorded 2,470 possible matches against a custody photo database, of which a whopping 173 were not false positives.

South Wales Police’s press release responding to Wired’s report is quite a classic, beginning with the line: “Of course no facial recognition system is 100% accurate under all conditions.”

GDPR-RELATED TWEET OF THE WEEK comes from lawyer Ciarán McGonagle: “Just received an email from a wealthy Nigerian Prince. He told me that he doesn’t have any fortune to share with me at the moment but he would appreciate if I could let him know before May 25th if I wish to continue receiving emails.”

About the author

I’m David Meyer, a tech journalist with more than a decade’s experience writing about technology. I’ve covered many topics in that time, though I’m most interested in the policy decisions and technological breakthroughs that will shape our world. You can find me on Twitter as @superglaze and on Facebook as @davidmeyerwrites.